Optimized field reflection. We now delay creating the dynamic methods to access the field until after the field has been accessed a couple of times, this saves a lot of memory for fields that are only usused a few times.

On "Patch Tuesday" two weeks ago Microsoft released security bulletin MS09-061. This bulletin describes three issues, one of which I reported to Microsoft on September 12, 2008. I will describe the details of what is now known as CVE-2009-0091. I have no inside knowledge of the other two vulnerabilities.

As mentioned in the original blog entry, I found the bug while browsing the Rotor sources. Here's the fragment that caught my eye:

// This method will combine this delegate with the passed delegate // to form a new delegate. protected override sealedDelegate CombineImpl(Delegate follow) { // Verify that the types are the same... // Actually, we don't need to do this, because Delegate.Combine already checks this.// if (!InternalEqualTypes(this, follow)// throw new ArgumentException(...)

This is from multicastdelegate.cs (Warning: this link leads to Microsoft Shared Source licensed code).

The code that is commented out is a security check. After seeing this I immediately confirmed (using ildasm) that the, at that time current, production version of mscorlib also didn't include the check. I also checked .NET 1.1 and in that version the check is present. I also checked a pre-release version of Silverlight 2.0 and it also didn't include the check. The subsequent Silverlight 2.0 release on October 14, 2008 included the fix. Microsoft did not find it necessary to credit me with the fix (not even privately).

Why Is This a Security Vulnerability?

In my example type safety exploit, I used a union to bypass type safety. That wasn't an actual security vulnerability because such a union requires full trust. However, if we can combine two different delegate types we can do the same and because of the missing type check this was possible.

If you take TypeSafetyExploitPoC.cs and replace the TypeSystemHole method with the following and add a reference to an assembly containing CombinePoCHelper.il (written in MSIL because that is the easiest way to write your own MulticastDelegate subclass that can call the protected CombineImpl method).

Fixed a regression introduced in 0.40 that caused a System.NotSupportedException to be thrown by ikvmc when compiling multiple targets where one target (indirectly) implements a non-public interface from another target. Thanks to Erik Vullings for reporting this.

Time for another snapshot as there have been a large number of changes since the previous snapshot. The Swing/AWT work that Volker and more recently also Nat have been doing has resulted in SwingSet2 now running quite nicely. Check out these screenshots:

Note that this is running the OpenJDK Swing code, with the GNU Classpath code the source code view and the HTML tab (the blue "Bouncing Babies!" text is HTML rendered in the tab) never worked. So this is great progress, but a lot more is still needed. Keyboard (and focus) support is still lacking and font support is still fairly limited, for example.

Changes:

More AWT/Swing work by Volker Berlin and Nat Luengnaruemitchai.

Fixed detection of dynamic assemblies (at runtime).

Fixed NullReferenceException when getting annotations on delegate constructor for delegates defined in Java.

IKVM.Reflection.Emit.PdbWriter.dll now caches the debugging information, instead of "streaming" it into the unmanged PDB writer to workaround the ridiculous memory usage of the unmanaged PDB writer. It is now possible to build the full core class library assemblies set with debugging enabled.

Fixed major regression in pdb debugging support introduced in 0.40 that caused local variable support to be completely broken.

I'm not a big fan of serialization, but there is one use that makes sense to me; intra-process, cross-AppDomain serialization. If you have ever done any cross-AppDomain work with IKVM you've probably run into the situation where a Java exception couldn't be serialized across the AppDomain boundary.

I've finally addressed this by building automatic (oneway) serialization interop support into IKVM. This means that most Java classes that are serializable should now automatically become .NET serializable. There are, however, some important caveats:

Serialized streams will not be compatible between different IKVM releases. This is intended *only* for cross-AppDomain serialization between different instances of the same IKVM code.

Deserialization ordering may be different, meaning that if a class has a custom deserialization method, it may encounter objects that have not been completely deserialized.

Under some circumstances, a class that implements readResolve() may have its readResolve() method called twice on the same object.

When a ghost array is serialized, it is serialized as an object[] (i.e. it loses its specific type).

Again, any Java class that is serializable (i.e. that implements java.io.Serializable or java.io.Externalizable and follows the associated rules) is generally automatically .NET serializable. There are a couple of exceptions where ikvmc and the runtime will assume that your class wants to handle its own .NET serialization:

MyList is now .NET serializable and exampleField will automatically be serialized/deserialized.

Inheritance - Extending .NET classes in Java

For this scenario, nothing has really changed. You still need to follow the standard .NET rules for creating serializable types.

Serializing .NET objects in Java

The automatic serialization interop is only one way, so you won't be able to serialize .NET objects using Java serialization (unless they happen to implement java.io.Serializable.__Interface or java.io.Externalizable). I currently have no plans to implement this functionality.